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Foreword 



rd , 



This Technical Specification (TS) has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

X the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 



Introduction 



The present document defines the IM Services Identity Module (ISIM) application. This application resides on the 
UICC, an IC card specified in TS 31.101 [3]. In particular, TS 31.101 [3] specifies the application independent 
properties of the UlCC/terminal interface such as the physical characteristics and the logical structure. 

TS 31.101 [3] is one of the core documents for this specification and is therefore referenced in many places in the 
present document. 
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1 Scope 

The present document defines the ISIM application for access to IMS services. 
The present document specifies: 

specific command parameters; 

file structures; 

contents of EFs (Elementary Files); 

security functions; 

application protocol to be used on the interface between UICC (ISIM) and Terminal. 

This is to ensure interoperability between an ISIM and Terminal independently of the respective manufacturer, card 
issuer or operator. 

The present document does not define any aspects related to the administrative management phase of the ISIM. Any 
internal technical realisation of either the ISIM or the Terminal is only specified where these are reflected over the 
interface. The present document does not specify any of the security algorithms that may be used. 

2 References 

The following documents contain provisions that, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication and/or edition number or version number) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including 
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same 
Release as the present document. 

[I] 3GPP TS 21.1 1 1: "USIM and IC Card Requirements". 

[2] 3GPP TS 3 1 . 1 02: "Characteristics of the USIM Application" . 

[3] 3GPP TS 31.101: "UICC -Terminal Interface, Physical and Logical Characteristics". 

[4] 3GPP TS 33.102: "3G Security; Security Architecture". 

[5] 3GPP TS 33.103: "3G Security; Integration GuideUnes". 

[6] ISO/IEC 7816-4: "Identification cards - Integrated circuit cards,Part 4: Organization, security and 

commands for interchange". 

[7] Void 

[8] void 

[9] 3GPP TS 23.003: "Numbering, Addressing and Identification". 

[10] Void 

[II] Void 

[12] 3GPP TS 25.101: "UE Radio Transmission and Reception (FDD)". 

[13] 3GPP TS 23.228: "IP Multimedia Subsystem (IMS); Stage 2". 
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[14] 3GPP TS 33.203: "3G security; Access security for IP-based services". 

[15] 3GPP TS 24.228: "Signalling flows for the IP multimedia call control based on SIP and SDP; 

Stage 3". 

[16] IETF RFC 3261: "SIP: Session Initiation Protocol". 

[17] 3GPP TS 23.038: "Alphabets and language-specific information". 

[18] ISO 639 (1988): "Code for the representation of names of languages". 

[19] 3GPPTS51.011 Release4: "Specification of the Subscriber Identity Module - Mobile Equipment 

(SIM-ME) interface". 

[20] ISO/IEC 8825(1990): "Information technology - Open Systems Interconnection - Specification of 

Basic Encoding Rules for Abstract Syntax Notation One (ASN.l)" Second Edition. 

[21] 3GPP TS 22.101: "Service aspects; Service principles". 

[22] ETSI TS 102 223 Release 6: "Smait cards; Card AppUcation Toolkit (CAT)". 

[23] ETSI TS 101 220: "Smart cards; ETSI numbering system for telecommunication appUcation 

providers". 

[24] IETF RFC 2486: "The Network Access Identifier" 

[25] 3GPP TS 33.220: "Generic Authentication Architecture (GAA); Generic bootstrapping 

architecture" 

[26] IETF RFC 2617: "HTTP Authentication: Basic and Digest Access Authentication". 

( http://www.ietf.org/rfc/rfc2617.txt ) 



3 Definitions, symbols, abbreviations and coding 

conventions 

3.1 Definitions 

For the purposes of the present document, the following terms and definitions apply: 

ISIM: application residing on the UICC, an IC card specified in 3GPP TS 31.101 [3] 

In particular, 3GPP TS 31.101 [3] specifies the application independent properties of the UlCC/terminal interface such 

as the physical characteristics and the logical structure 

The AID of ISIM is defined in ETSI TS 101 220 [23] and is stored in EFdir. 

ADM: access condition to an EF which is under the control of the authority which creates this file 

3.2 Symbols 

For the purposes of the present document, the following symbols apply: 

II Concatenation 

© Exclusive or 

f 1 Message authentication function used to compute MAC 

f 1 * A message authentication code (MAC) function with the property that no valuable information can 

be inferred from the function values of fl * about those of fl, ... , f5 and vice versa 

f2 Message authentication function used to compute RES and XRES 

f3 Key generating function used to compute CK 

f4 Key generating function used to compute IK 

f5 Key generating function used to compute AK 
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3.3 



Abbreviations 



For the purposes of the present document, the following abbreviations apply: 

3GPP 3"^ Generation Partnership Project 

AC Access Condition 

ADF Application Dedicated File 

AID Application IDentifier 

AK Anonymity Key 

AKA Authentication and Key Agreement 

ALW ALWays 

AMF Authentication Management Field 

ASN . 1 Abstract S yntax Notation One 

AuC Authentication Centre 

AUTN Authentication TokeN 

BER-TLV Basic Encoding Rule - TLV 

B-TID Bootstrapping Transaction IDentifier 

CK Cipher Key 

DF Dedicated File 

EF Elementary File 

FES For Further Study 

HE Home Environment 

HN Home Network 

ICC Integrated Circuit Card 

ID IDentifier 

IK Integrity Key 

IM IP Multimedia 

IMPI IM Private Identity 

IMPU IM public identity 

IMS IP Multimedia Subsystem 

ISIM IM Services Identity Module 

K long-term secret Key shared between the ISIM and the AuC 

KSI Key Set Identifier 

LI Language Indication 

LSB Least Significant Bit 

MAC Message Authentication Code 

MF Master File 

MSB Most Significant Bit 

NAI Network Access Identifier 

NEV NEVer 

PIN Personal Identification Number 

PL Preferred Languages 

PS_DO PIN Status Data Object 

RAND RANDom challenge 

RES user RESponse 

RFU Reserved for Future Use 

RST ReSeT 

SDP Session Description Protocol 

SFI Short EF Identifier 

SIP Session Initiation Protocol 

SQN SeQuence Number 

SW Status Word 

TLV Tag Length Value 

UE User Equipment 

XRES eXpected user RESponse 
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3.4 Coding Conventions 

The following coding conventions apply to the present document. 

All lengths are presented in bytes, unless otherwise stated. Each byte is represented by bits b8 to bl, where b8 is the 
most significant bit (MSB) and bl is the least significant bit (LSB). In each representation, the leftmost bit is the MSB. 

The coding of Data Objects in the present document is according to TS 31.101 [3]. 



'XX': 



Single quotes indicate hexadecimal values. Valid elements for hexadecimal values are the numbers 
'0' to '9' and 'A' to 'F'. 



Files 



This clause specifies the EFs for the IMS session defining access conditions, data items and coding. A data item is a 
part of an EF which represents a complete logical entity. 

For an overview containing all files see figure 4. 1 . 



4.1 



Contents of the EFs at the IVIF level 



There are four EFs at the Master File (MF) level. These EFs are specified in 3GPP TS 31.101 [3]. 

4.2 Contents of files at the ISIM ADF (Application DF) level 

The EFs in the ISIM ADF contain service and network related information and are required for UE to operate in an IP 
Multimedia Subsystem. 

The File IDs '6F1X' (for EFs), '5F1X' and '5F2X' (for DFs) with X ranging from '0' to 'F' are reserved under the ISIM 
ADF for administrative use by the card issuer. 



4.2.1 



Void 



4.2.2 EFiMPi (IIVIS private user identity) 

This EF contains the private user identity of the user. 



Identifier: '6F02' 




Structure 


transparent Mandatory 


SFI: "02" 




File size: X bytes 


Update activity: low 


Access Conditions: 
READ 
UPDATE 
DEACTIVATE 
ACTIVATE 




PIN 
ADM 
ADM 
ADM 




Bytes 


Description 


M/0 


Length 


1 toX 


NAI TLV data object 


M 


X bytes 



NAI 
Contents: 

Private user identity of the user. 
Coding: 
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For contents and coding of NAI TLV data object values see IETF RFC 2486 [24]. The tag value of the NAI 
TLV data object shall be '80'. 

4.2.3 EFdomain (Home Network Domain Name) 

This EF contains the home operator"s network domain name SIP URL 



Identifier: '6F03' 


Structure: transparent 


Mandatory 


SFI: "05" 




File size: X bytes 


Update activity: low 


Access Conditions: 

READ PIN 
UPDATE ADM 
DEACTIVATE ADM 
ACTIVATE ADM 


Bytes 


Description 


M/0 


Length 


1 toX 


URI TLV data object 


M 


X bytes 



URI 

Contents: 

Home Network Domain Name SIP URI. 

Coding: 

For contents and coding of URI TLV data object values see IETF RFC 3261 [16]. The tag value of the URI 
TLV data object shall be '80'. 



4.2.4 EFiMPu (IMS public user identity) 

This EF contains one or more public SIP Identities (SIP URI) of the user. 



Identifier: '6F04' 






Structure: 


linear fixed Mandatory 


SFI: "04" 




Record length: X 


bytes 






Update activity: low 


Access Conditions: 
READ 
UPDATE 
DEACTIVATE 
ACTIVATE 






PIN 
ADM 
ADM 
ADM 




Bytes 


Description 


M/0 


Length 


1 toX 


URI TLV data object 


M 


X bytes 



URI 

Contents: 

SIP URI by which other parties know the subscriber. 

Coding: 

For contents and coding of URI TLV data object values see IETF RFC 3261 [16]. The tag value of the URI 
TLV data object shall be '80'. 
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4.2.5 EFad (Administrative Data) 

This EF contains information concerning the mode of operation according to the type of ISIM, such as normal (to be 
used by IMS subscribers for IMS operations), type approval (to allow specific use of the Terminal during type approval 
procedures of e.g. the network equipment), manufacturer specific (to allow the Terminal manufacturer to perform 
specific proprietary auto-test in its Terminal during e.g. maintenance phases). 

It also provides an indication of whether some Terminal features should be activated during normal operation. 



Identifier: '6FAD' 


Structure 


transparent | 


Mandatory 


SFI: '03' 


1 


File size: 3+X bytes 




Update activity 


low 


Access Conditions: 
READ 
UPDATE 
DEACTIVATE 
ACTIVATE 


ALW 

ADM 
ADM 
ADM 






Bytes 


Description 


M/0 


Length 


1 


UE operation mode 


M 


1 byte 


2 to 3 


Additional information 


M 


2 bytes 


4 to 3+X 


RFU 





X bytes 



UE operation mode: 
Contents: 

mode of operation for the UE 
Coding: 

Initial value 

'00' normal operation. 
'80' type approval operations. 
'01' normal operation + specific facilities. 
'81' type approval operations + specific facilities. 
'02' maintenance (off line). 
Additional information: 
Coding: 

specific facilities (if bl=l in byte 1); 

Bytes 2 and 3 (first byte of additional information): 



b8 



b7 



b6 



b5 



b4 



b3 



b2 



bl 



RFU (see TS 31.101) 



4.2.6 EFarr (Access Rule Reference) 



This EF contains the access rules for files located under the ISIM ADF in the UICC. If the security attribute tag '8B' is 
indicated in the FCP it contains a reference to a record in this file. 
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Structure of EFarr at ADF-level 



Identifier: '6F06' 


1 


Structure: 


Linear fixed | Mandatory 


SFI: '06' 




Record Length: 


X bytes 




Update activity: low 


Access Conditions: 
READ 
UPDATE 
DEACTIVATE 
ACTIVATE 




ALW 
ADM 
ADM 
ADM 




Bytes 


Description 


M/0 


Length 


1 toX 


Access Rule TLV data objects 


M 


X bytes 



This EF contains one or more records containing access rule information according to the reference to expanded format 
as defined in ISO/IEC 7816-4 [6]. Each record represents an access rule. Unused bytes in the record are set to 'FF'. 

If the card cannot access EFarr , any attempt to access a file with access rules indicated in this EFarr shall not be 
granted. 

4.2.7 EFisT (ISIM Service Table) 

This EF indicates which optional services are available. If a service is not indicated as available in the ISIM, the ME 
shall not select this service. The presence of this file is mandatory if optional services are provided in the ISIM. 



Identifier: '6F07' Structure: transparent | Optional 


SFI: '07' 




File size: X bytes, X >= 1 


Update activity: low 


Access Conditions: 

READ PIN 
UPDATE ADM 
DEACTIVATE ADM 
ACTIVATE ADM 


Bytes 


Description 


M/0 


Length 


1 


Services n°1 to n°8 


M 


1 byte 


2 


Services n°9 to n°16 





1 byte 


3 


Services n°17to n°24 





1 byte 


4 


Services n°25to n°32 





1 byte 


etc. 








X 


Services n°(8X-7) to n°(8X) 





1 byte 



-Services 
Contents: Service n°1: 
Service n°2 



P-CSCF address 

Generic Bootstrapping Architecture (GBA) 



The EF shall contain at least one byte. Further bytes may be included, but if the EF includes an optional byte, then it is 
mandatory for the EF to also contain all bytes before that byte. Other services are possible in the future and will be 
coded on further bytes in the EF. The coding falls under the responsibility of the 3GPP. 

Coding: 

1 bit is used to code each service: 
bit = 1 : service available; 
bit = 0: service not available. 

Service available means that the ISIM has the capability to support the service and that the service is available 
for the user of the USIM. 

Service not available means that the service shall not be used by the ISIM user, even if the ISIM has the 
capability to support the service. 
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First byte: 



b8 



b7 



b6 



B5 



b4 



b3 



b2 



bl 



Service n°l 

Service n°2 

Service n°3 

Service n°4 

Service n°5 

Service n°6 

Service n°7 

Service n°8 



Second byte: 



b8 b7 b 



B5 b4 b3 b2 bl 



Service n°9 

Service n°10 

Service n°ll 

Service n°12 

Service n°13 

Service n°14 

Service n°15 

Service n°16 



etc. 

4.2.8 EFp.cscF (P-CSCF Address) 

This EF does not apply for 3GPP and shall not be used by a terminal using a 3GPP access network or a 3GPP 
Interworking WLAN. 

NOTE: The current 3GPP procedures for P-CSCF discovery provide a flexible way for the UE to discover the P- 
CSCF address(es). Procedures include both GPRS PDP context based solution and a generic DHCP based 
approach that can be used for other access technologies. 

This EF contains one or more Proxy Call Session Control Function addresses. The first record in the EF shall be 
considered to be of the highest priority. The last record in the EF shall be considered to be the lowest priority. 



Identifier: '6F09' 


Structure: 


linear fixed 




Optional 






Record length: 


X bytes 




Update activity: low 


Access Conditions: 
READ 
UPDATE 
DEACTIVATE 
ACTIVATE 




PIN 

ADM 
ADM 
ADM 






Bytes 


Description 


M/O 


Length 


1 toX 


P-CSCF Address 


TLV data object 




M 


X bytes 



P-CSCF 

Contents: 



Address of Proxy Call Session Control Function, in the format of a FQDN, an IPv4 address, or an IPv6 
address. 



Coding: 
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The tag value of this P-CSCF address TLV data object shall be '80'. The format of the data object is as 
follows: 



Field 


Length (bytes) 


Tag 


1 


Length 


1 



Address Type 


1 


P-CSCF Address 


Address Length 



Address Type: Type of the P-CSCF address. 

This field shall be set to the type of the P-CSCF address according to the following: 



Value 


Name 


0x00 


FQDN 


0x01 


IPv4 


0x02 


IPv6 


All other values are 
reserved 





P-CSCF Address: Address of the Proxy Call Session Control Function 

This field shall be set to the address of the Proxy Call Session Control Function. 
Unused bytes shall be set to 'FF'. 

4.2.9 EFgbabp (GBA Bootstrapping parameters) 

This EF contains the AKA Random challenge (RAND) and Bootstrapping Transaction Identifier (B-TID) associated 
with a GBA bootstrapping procedure. This file shall be present if the GBA service (service number 2) is allocated in 
EFisT (ISIM Service Table). 



Identifier: '6FD5' Structure: transparent 


Optional 


File length: L-hX+N+3 bytes Update activity: 


low 


Access Conditions: 

READ PIN 
UPDATE PIN 
DEACTIVATE ADM 
ACTIVATE ADM 


Bytes 


Description 


M/0 


Length 


1 


Length of RAND (16) 


M 


1 byte 


2to(X-Hl) 


RAND 


M 


X bytes 


X+2 


Length of B-TID (L) 


M 


1 byte 


(X+3) to (X+2+L) 


B-TID 


M 


L bytes 


X-hUS 


Length of l<ey lifetime 


M 


1 byte 


(X-HL-H4) to 
(X+L+N+3) 


Key lifetime 


M 


N bytes 



£75/ 



3GPP TS 31.103 version 6.8.0 Release 6 



15 



ETSI TS 131 103 V6.8.0 (2005-06) 



- Length of RAND 

Contents: number of bytes, not including this length byte, of RAND field 

- RAND 

Contents: Random challenge used in the GBA_U bootstrapping procedure. 
Coding: as defined in 33.103 [13] 

- Length of B-TID 

Contents: number of bytes, not including this length byte, of B-TID field 

- B-TID 

Content: Bootstrapping Transaction Identifier the GBA_U bootstrapped keys 
Coding: As defined in TS 33.220 [25] 

Length of key lifetime 

Contents: number of bytes, not including this length byte, of key lifetime field 

Key lifetime 

Content: Lifetime of the GBA_U bootstrapped keys 

Coding: As defined in TS 33.220 [25] 

4.2.10 EFgbanl (GBA NAF List) 

If service n°68 is "available", this file shall be present. 

This EF contains the list of NAF_ID and B-TID associated to a GBA NAF derivation procedure. 



Identifier: '6FD7' Structure: Linear fixed 


1 


Optional 


Record length: Z bytes 


Update activity: 


ow 


Access Conditions: 

READ PIN 

UPDATE ADM 

DEACTIVATEADM 

ACTIVATE ADM 


Bytes 


Description 


M/0 


Length 


1 toZ 


NAF Key Identifier TLV objects 


M 


Z bytes 



NAF Key Identifier tags 



Description 


Tag Value 


NAF ID Tag 


'80' 


B-TID Tag 


'81' 



NAF Key Identifier information 



Description 


Value 


IVI/0 


Length (bytes) 


NAF ID Tag 


'80' 


M 


1 


Length 


X 


M 


Note 


NAF ID value 


- 


M 


X 


B-TID Tag 


'81' 


M 


1 


Length 


Y 


M 


Note 


B-TID value 


- 


M 


Y 


NOTE: The length is coded according to ISO/IEC 8825 [20] 





NAF_ID Tag '80' 
Contents: 
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Identifier of Network Application Function used in the GB A_U NAF Derivation procedure. 
Coding: 

- As defined in 33.220 [25] 
- B-TIDTag'81' 

Content: 

Bootstrapping Transaction Identifier of the GB A_U bootstrapped key 
Coding: 

- As defined in TS 33.220 [25] 
Unused bytes shall be set to 'FF' 



4.3 



ISIM file structure 



This subclause contains a figure depicting the file structure of the ADFisim- ADFisim shall be selected using the AID and 
information in EFdir. 



ADF„ 



EFiMpi 
'6F02' 



EFpoMAIN 

'6F03' 



EFiMpu 
'6F04' 



EFad 
'6FAD' 



EFarr 
'6F06' 



EFp_cscF 
'6F09' 



EFgbap 
'6FD5' 



EFgbanl 
'6FD7' 



Figure 1 : File identifiers and directory structures of ISIM 



Application protocol 



The requirements stated in the corresponding section of 3GPPTS 31.101 [3] apply to the ISIM application. 

The procedures listed in subclause "ISIM management procedures" are required for execution of the procedures in the 
subsequent subclauses "ISIM security related procedures" and "Subscription related procedures". The procedures listed 
in subclauses "ISIM security related procedures" are mandatory. The procedures listed in "Subscription related 
procedures" are only executable if the associated services, which are optional, are provided in the ISIM. However, if the 
procedures are implemented, it shall be in accordance with subclause "Subscription related procedures". 

5.1 ISIM management procedures 
5.1.1 Initialisation 



5.1.1.1 



ISIM application selection 



If the Terminal wants to engage in IMS operation, then after UICC activation (see 3GPP TS 31.101 [3]), the Terminal 
shall select an ISIM application, if an ISIM application is listed in the EFdir file, using the SELECT by DF name as 
defined in 3GPPTS 31.101. 
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After a successful ISIM application selection, the selected ISIM (AID) is stored on the UICC. This application is 
referred to as the last selected ISIM application. The last selected ISIM application shall be available on the UICC after 
a deactivation followed by an activation of the UICC. 

If a ISIM application is selected using partial DF name, the partial DF name supplied in the command shall uniquely 
identify a ISIM application. Furthermore if a ISIM application is selected using a partial DF name as specified in TS 
31.101 [3] indicating in the SELECT command the last occurrence the UICC shall select the ISIM application stored as 
the last ISIM application. If, in the SELECT command, the options first, next/previous are indicated, they have no 
meaning if an application has not been previously selected in the same session and shall return an appropriate error 
code. 

5.1.1.2 ISIM initialisation 

The ISIM shall not indicate any language preference. It shall use the language indicated by any other application 
currently active on the UICC or by default, choose a language from EFpL at the MF level according the procedure 
defined in 3GPP TS 31.101[3]. 

If the terminal does not support the languages of EFpL, then the terminal shall use its own internal default selection. 

The Terminal then runs the user verification procedure. If the procedure is not performed successfully, the ISIM 
initialisation stops. 

Then the Terminal performs the administrative information request. 

If all these procedures have been performed successfully then the ISIM session shall start. In all other cases the ISIM 
session shall not start. 

After the previous procedures have been completed successfully, the Terminal runs the following procedures: 

IMPI request. 

- IMPU request. 

- SIP Domain request. 

ISIM Service Table request. If the ISIM Service Table is not present, the terminal shall assume that no optional 
services are available. 

P-CSCF address request 

After the ISIM initialisation has been completed successfully, the Terminal is ready for an ISIM session and shall 
indicate this to the ISIM by sending a particular STATUS command. 

5.1 .2 ISIM Session termination 

NOTE 1: This procedure is not to be confused with the deactivation procedure in 3GPP TS 31.101 [3]. 

The ISIM session is terminated by the Terminal as follows. 

The Terminal shall indicate to the ISIM by sending a particular STATUS command that the termination procedure is 
starting. 

Finally, the ME deletes all these subscriber related information elements from its memory. 

NOTE 2: If the Terminal has already updated any of the subscriber related information during the ISIM session, 
and the value has not changed until ISIM session termination, the Terminal may omit the respective 
update procedure. 

To actually terminate the session, the Terminal shall then use one of the mechanisms described in 3GPP TS 31.101 [3]. 

5.1 .3 ISIM application closure 

After termination of the ISIM session as defined in subclause 5.1.2, the ISIM application may be closed by closing the 
logical channels that are used to communicate with this particular ISIM application. 
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5.1 .4 UICC presence detection 

The Terminal checks for the presence of the UICC according to 3GPP TS 31.101 [3] within all 30 s periods of inactivity 
on the UICC-Terminal interface during a IMS session. If the presence detection according to 3GPP TS 31.101 [3] fails 
the session shall be terminated as soon as possible but at least within 5s after the presence detection has failed. 

5.1 .5 Administrative information request 

The Terminal performs the reading procedure with EFad- 

5.2 ISIM security related procedures 

5.2.1 Autinentication procedure 

The Terminal selects an ISIM application and uses the AUTHENTICATE command (see subclause 7.1). The response 
is sent to the Terminal(in case of the T=0 protocol when requested by a subsequent GET RESPONSE command). 

5.2.2 IMPI request 

The Terminal performs the reading procedure with EFaipi. 

5.2.3 IMPU request 

The Terminal performs the reading procedure with EFimpu. 

5.2.4 SIP Domain request 

The Terminal performs the reading procedure with EFdqmain- 

5.2.5 Void 

5.2.6 ISIM Service Table request 

Requirement: ISIM Service Table available in the ISIM 
Request: The ME performs the reading procedure with EFux. 

5.2.7 P-CSCF address request 

Requirement: USIM Service n°y "available". 

Request: The ME performs the reading procedure with EFp.cscF- 

5.2.8 Generic Bootstrapping architecture (Bootstrap) 

The Terminal uses the AUTHENTICATE command in GBA security context (Bootstrapping Mode) (see 7.1.1). The 
response is sent to the Terminal. 

After a successful GBA_U Procedure, the Terminal shall update the B-TID field and the Key Life Time field in 
EFgbabp. 

5.2.9 Generic Bootstrapping architecture (NAF Derivation) 

The Terminal shall first read EFgbabp- The Terminal then uses the AUTHENTICATE command in GBA security 
context (NAF Derviation Mode) (see 7.1.1). The response is sent to the Terminal. 
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Security features 



The security aspects of IMS are specified in 3GPP TS 33.203 [14]. This clause gives information related to security 
features supported by the ISIM with respect to user verification and file access conditions. 

6.1 User verification and file access conditions 

The security architecture as defined in 3GPP TS 31.101 [3] applies to the ISlM and UlCC with the following definitions 
and additions: 

The ISIM application shall use a global key referenceas PINl as specified in 3GPP TS 31.101 [3]. 

For access to DFtelecom the PIN shall be verified. 

The only valid usage qualifier is '08' which means user authentication knowledge based (PIN) as defined in 
ISO/IEC 7816-4 [6]. 



7 ISIIVI Commands 

The commands specified in 3GPP TS 31.101 are supported by ISIM, with the restrictions identified in this clause. 

7.1 AUTHENTICATE 

7.1.1 Command (description 

The function can be used in several different contexts: 

an IMS AKA security context during the procedure for authenticating the ISIM to its HN and vice versa when 
IMS AKA authentication data are available. The function shall be used whenever an IMS context shall be 
established, i.e. when the terminal receives a challenge from the IMS. A cipher key and an integrity key are 
calculated. For the execution of the command the ISIM uses the subscriber authentication key K, which is stored 
in the ISIM. 

a HTTP Digest security context, when HTTP Digest authentication data are available. Digest authentication 
operations are described in IETF RFC 2617 [26]. 

a GBA_U security context, when a GBA bootstrapping procedure is requested. In this context the function is 
used in two different modes: 

a) Bootstrapping Mode: during the procedure for muthual authenticating of the ISIM and the Bootstrapping 
Server Function (BSF) and for deriving Bootstrapped key material from the AKA run. 

b) NAF Derivation Mode: during the procedure for deriving Network Application Function (NAF) specific keys 
from previous bootstrapped key material. 

The function is related to a particular ISIM and shall not be executable unless the ISIM application has been selected 
and activated, and the current directory is the ISIM ADF or any subdirectory under this ADF and a successful PIN 
verification procedure has been performed (see clause 5). 

7.1.1.1 IMS AKA security context 

The ISIM first computes the anonymity key AK = fSx (RAND) and retrieves the sequence number SQN = (SQN ® AK) 

e AK. 

Then the ISIM computes XMAC = fix (SQN II RAND II AMF) and compares this with the MAC which is included in 
AUTN. If they are different, the ISIM abandons the function. 
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Next the ISIM verifies that the received sequence number SQN is previously unused. If it is unused and its value is 
lower than SQNms, it shall still be accepted if it is among the last 32 sequence numbers generated. A possible 
verification method is described in 3GPP TS 33.102 [4]. 

NOTE: This implies that the ISIM has to keep a list of the last used sequence numbers and the length of the list is 
at least 32 entries. 

If the ISIM detects the sequence numbers to be invalid, this is considered as a synchronisation failure and the ISIM 
abandons the function. In this case the command response is AUTS, where: 

- AUTS = ConciSQNMs )\\MACS; 

- Conc(SQNMs) = SQNms <9f5*K(RAND) is the concealed value of the counter SQNms in the ISIM; and 

- MACS= fl *k(SQNms 1 1 RAND 1 1 AMF) where: 

RAND is the random value received in the current user authentication request; 

the AMF assumes a dummy value of all zeroes so that it does not need to be transmitted in clear in the 
resynchronisation message. 

If the sequence number is considered in the correct range, the ISIM computes RES = f2K (RAND), the cipher key 
CK = f3K (RAND) and the integrity key IK = f4K (RAND) and includes these in the command response. Note that if 
this is more efficient, RES, CK and IK could also be computed earlier at any time after receiving RAND. 

The use of AMF is HN specific and while processing the command, the content of the AMF has to be interpreted in the 
appropriate manner. The AMF may e.g. be used for support of multiple algorithms or keys or for changing the size of 
lists, see 3GPPTS 33.102 [4]. 

7.1 .1 .2 GBA security context (Bootstrapping Mode) 

ISIM operations in GBA security context are supported if service n°2 is "available". 

The ISIM receives the RAND and AUTN. The ISIM first computes the anonymity key AK = fSx (RAND) and retrieves 
the sequence number SQN = (SQN AK) AK. 

The ISIM calculates IK = f4K (RAND) and MAC (by performing the MAC modification function described in TS 
33.220 [25]). Then the ISIM computes XMAC = fix (SQN II RAND II AMF) and compares this with the MAC 
previously produced. If they are different, the ISIM abandons the function. 

Then the ISIM proceeds as in IMS security context by checking AUTN. If the ISIM detects the sequence numbers to be 
invalid, this is considered as a synchronisation failure and the ISIM abandons the function. In this case the command 
response is AUTS, which is computed as in ISIM security context. 

If the sequence number is considered in the correct range, the ISIM computes RES = f2K (RAND) and the cipher key 
CK = f3K (RAND). 

The ISIM then derives and stores GBA_U bootstrapped key material from CK, IK values. The ISIM also stores RAND 
in the RAND field of EFgbabp 

The ISIM stores GBA_U bootstrapped key material from only one bootstrapping procedure. The previous bootstrapped 
key material, if present, shall be replaced by the new one. This key material is linked with the data contained in EFgbabp 
: RAND, which is updated by the ISIM and B-TID, which shall be further updated by the ME. 

NOTE: According to TS 33.220 [25], NAF-specific keys that may be stored on the ISIM are not affected by this 
bootstrapping operation. 

RES is included in the command response after flipping the least significant bit. 

Input: 

- RAND, AUTN 
Output: 

- RES 
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- AUTS 

7.1 .1 .3 GBA security context (NAF Derivation Mode) 

ISIM operations in GBA security context are supported if service n°2 is "available". 

The ISIM receives the NAF_ID. 

The ISIM performs Ks_ext_NAF and Ks_int_NAF derivation as defined in TS 33.220 [25] using the key material from 
the previous GBA_U bootstrapping procedure and the IMPI value from EFimpi 

If no key material is available this is considered as a GBA Bootstrapping failure and the ISIM abandons the function. 
The status word "6985" (Conditions of use not satisfied) is returned. 

Otherwise, the ISIM stores Ks_int_NAF and associated B-TID together with NAF_ID in its memory. The Ks_int_NAF 
keys related to other NAF_IDs, which are already stored in the ISIM, shall not be affected. The ISIM updates EFqbanl 
as follows: 

If a record with the given NAF_ID already exists, the ISIM updates the B-TID field of this record with the B- 
TID value associated to the GBA_U bootstrapped key involved in this GBA_U NAF derivation procedure. 

If a record with the given NAF_ID does not exist, the ISIM uses an empty record to store the NAF_ID and the 
B-TID value associated to the GBA_U bootstrapped key involved in this GBA_U NAF Derivation procedure. 

NOTE: According to TS 33.220 [25], the ISIM can contain several Ks_int_NAF together with the associated B-TID 
and NAF_ID, but there is at most one pair of Ks_int_NAF and associated B-TID stored per NAF_ID. 

Then, the ISIM returns Ks_ext_NAF. 

Input: 

- NAF_ID 
Output: 

- Ks ext NAF 



7.1 .2 Command parameters and data 



Code 


Value 


CLA 


As specified in 3GPP TS 31.101 


INS 


'88' 


P1 


'00' 


P2 


See table below 


Lc 


See below 


Data 


See below 


Le 


'00', or maximum length of data expected in response 



Parameter P2 specifies the authentication context as follows: 
Coding of the reference control P2: 



£75/ 



3GPP TS 31.103 version 6.8.0 Release 6 



22 



ETSI TS 131 103 V6.8.0 (2005-06) 



Coding 
b8-b1 


Meaning 


'1 ' 


Specific reference data (e.g. DF 
specific/application dependant l<ey) 


'-XXXXXX-' 


'000000' 


' XXX' 


Authentication context: 

000 Reserved 

001 IMS AKA 
010 HI IP Digest 
100 GBA context 



All other codings are RFU. 
Command parameters/data: 



7.1.2.1 



IMS AKA security context 



Byte(s) 


Description 


Length 


1 


Length of RAND (L1) 


1 


2to(L1+1) 


RAND 


L1 


(L1+2) 


Length of AUTN (L2) 


1 


(LI +3) to 
(L1+L2+2) 


AUTN 


L2 



The coding of AUTN is described in 3GPP TS 33.102 [4]. The most significant bit of RAND is coded on bit 8 of byte 2. 
The most significant bit of AUTN is coded on bit 8 of byte (Ll+3). 

Response parameters/data, case 1, command successful: 



Byte(s) 


Description 


Length 


1 


"Successful 3G authentication" tag = 'DB' 


1 


2 


Length of RES (L3) 


1 


3 to (L3+2) 


RES 


L3 


(L3+3) 


Length of CK (L4) 


1 


(L3+4) to 
(L3+L4+3) 


CK 


L4 


(L3+L4+4) 


Length of IK (L5) 


1 


(L3+L4+5) to 
(L3+L4+L5+4) 


IK 


L5 



The most significant bit of RES is coded on bit 8 of byte 3. The most significant bit of CK is coded on bit 8 of byte 
(L3+4). The most significant bit of IK is coded on bit 8 of byte (L3+L4+5). 

Response parameters/data, case 2, synchronization failure: 



Byte(s) 


Description 


Length 


1 


"Synchronisation failure" tag = 'DC 


1 


2 


Length of AUTS(L1) 


1 


3 to (LI +2) 


AUTS 


L1 



The coding of AUTS is described in 3GPP TS 33.102 [4]. The most significant bit of AUTS is coded on bit 8 of byte 3. 
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7.1.2.2 



HTTP Digest security context 



Byte(s) 


Description 


Length 


1 


Length of realm (L1) 


1 


2to(L1+1) 


Realm 


LI 


(LI +2) 


Length of nonce (L2) 


1 


(LI +3) to 
(L1+L2+2) 


Nonce 


L2 


(L1+L2+3) 


Length of cnonce (L3) 


1 


(L1+L2+4)to 
(L1+L2+L3+3) 


Cnonce 


L3 



The codings of realm, nonce and cnonce are described in IETF RFC 2617 [26]. 
Response parameters/data command successful: 



Byte(s) 


Description 


Length 


1 


"HTTP Digest context reponse" tag = 'DB' 


1 


2 


Length of Response(L4) 


1 


3 to (L4+2) 


Response 


L4 


(L4+3) 


Length of Session Key (L5) 


1 


(L4+4) to 
(L4+L5+3) 


Session Key 


L5 



7.1.2.3 



GBA security context (Bootstrapping Mode) 



Byte(s) 


Description 


Length 


1 


'GBA Security Context Bootstrapping IVIode' tag = "DD" 


1 


2 


Length of RAND (L1) 


1 


3to(L1+2) 


RAND 


L1 


(L1+3) 


Length of AUTN (L2) 


1 


(L1+4)to 
(L1+L2+3) 


AUTN 


L2 



Response parameters/data, GBA security context (Bootstrapping Mode), synchronisation failure: 



Byte(s) 


Description 


Length 


1 


"Synchronisation failure" tag = 'DC 


1 


2 


Length of AUTS(L1) 


1 


3to(L1+2) 


AUTS 


L1 



AUTS coded as for IMS Security context. 

Response parameters/data, GBA security context (Bootstrapping Mode), command successful: 



Byte(s) 


Description 


Length 


1 


"Successful GBA operation" tag = 'DB' 


1 


2 


Length of RES (L) 


1 


3 to (L+2) 


RES 


L 



RES coded as for IMS Security context. 

7.1 .2.4 GBA security context (NAF Derivation Mode) 



Byte(s) 


Description 


Length 


1 


'GBA Security Context NAF Derivation IVIode' tag = "DE" 


1 


2 


Length of NAF ID(L1) 


1 


3to(L1+2) 


NAF ID 


L1 
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Response parameters/data, GBA security context (NAF Derivation Mode), command successful: 



Byte(s) 


Description 


Length 


1 


"Successful GBA operation" tag = 'DB' 


1 


2 


Length of Ks ext NAF (L) 


1 


3 to (L+2) 


Ks ext NAF 


L 



Coding of Ks_ext_NAF as described in TS 33.220 [25]. 

7.1 .3 Status Conditions Returned by tine ISIM 

Status of the card after processing of the command is coded in the status bytes S Wl and SW2. This subclause specifies 
coding of the status bytes in the following tables. 

7.1 .3.1 Security management 



SW1 


SW2 


Error description 


'98' 


'62' 


- Authentication error, incorrect IVIAC 
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7.1.3.2 Status Words of the Commands 

The following table shows for each command the possible status conditions returned (marked by an asterisk *). 

Commands and status words 



Status Words 


AUTHENTICATE 


90 00 


* 


91 XX 


* 


93 00 




98 50 




98 62 


* 


62 00 


* 


62 81 




62 82 




62 83 




63 CX 




64 00 


* 


65 00 


* 


65 81 


* 


67 00 


* 


67 XX - (see note) 


* 


68 00 


* 


68 81 


* 


68 82 


* 


69 81 




69 82 


* 


69 83 




69 84 


* 


69 85 


* 


69 86 




6A80 




6A81 


* 


6A82 




6A83 




6A86 


* 


6A87 




6A88 


* 


6B00 


* 


6E00 


* 


6F00 


* 


6F XX - (see note) 


* 


NOTE: Except SW2 = '00'. | 



7.2 



GET CHALLENGE 



The GET CHALLENGE command is optional for the ISIM application. 



8 



void 



£75/ 



3GPP TS 31.103 version 6.8.0 Release 6 



26 



ETSI TS 131 103 V6.8.0 (2005-06) 



Annex A (informative): 

EF changes via Data Download or CAT applications 

This annex defines if changing the content of an EF by the network (e.g. by sending an SMS), or by a CAT Application 
[22], is advisable. Updating of certain EFs "over the air" could result in unpredictable behavior of the UE; these are 
marked "Caution" in the table below. Certain EFs are marked "No"; under no circumstances should "over the air" 
changes of these EFs be considered. 



File identification 


Description 


Change advised 


'6F02' 


IMS private user identity 


Caution (note) 


'6F03' 


Home Networl< Domain Name 


Caution (note) 


'6F04' 


IIVIS public user identity 


Caution (note) 


'6 FAD' 


Administrative Data 


Caution 


'6F06' 


Access Rule Reference 


Caution 


"6F07" 


ISIIVI Service Table 


Caution 


"6F09" 


P-CSCF address 


Caution (note) 


'6FD5" 


GBA Bootstrapping parameters 


Caution 


'6FD7" 


GBA NAF List 


Caution 


NOTE: If EFiMPi, EFimpu, EFdomain or P-CSCF are changed, the UICC should issue a CAT 
REFRESH command [22]. 
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Annex B (informative): 
Tags defined in 31.103 



Tag 


Name of Data Element 


Usage 


'80' 


URI TLV data object 


IMPI, IMPU, DOMAIN 


'DB' 


Successful IMS authentication 


Response to AUTHENTICATE 


'DC 


Synchronisation failure 


Response to AUTHENTICATE 


'80' 


P-CSCF TLV data object 


P-CSCF 



NOTE: the value 'FF' is an invalid tag value. For ASN.l tag assignment rules see ISO/IEC 8825 [20] 
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Annex C (informative): 

Suggested contents of the EFs at pre-personalization 

If EFs have an unassigned value, it may not be clear from the main text what this value should be. This annex suggests 
values in these cases. 



File Identification 


Description 


Value 








'6F02' 


IMS private user identity 


"8000FF...FF" 


'6F03' 


Home Networl< Domain Name 


"8000FF...FF" 


'6F04' 


IIVIS public user identity 


"8000FF...FF" 


'6FAD' 


Administrative Data 


Operator dependant 


'6F06' 


Access Rule Reference 


Card issuer/operator dependant 


'6FD5" 


GBA Bootstrapping parameters 


"FF...FF" 


"6F07" 


ISIM Service Table 


Operator dependant 


"6F09" 


P-CSCF address 


Operator dependant 


"6FD7" 


GBA NAF List 


"FF...FF" 
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Annex D (informative): 
List of SFI Values 

This annex lists SFI values assigned in the present document. 



D.1 List of SFI Values at the ISIM ADF Leve 


File Identification 


SFI 


Description 


'6F02' 


'02' 


IMS private user identity 


'6F03' 


'05' 


Home Networl< Domain Name 


'6F04' 


'04' 


IIVIS public user identity 


'6FAD' 


'03' 


Administrative Data 


'6F06' 


'06' 


Access Rule Reference 


"6F07" 


"07" 


ISIIVI Service Table 



All other SFI values are reserved for future use. 
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Annex E (informative): 

ISIIVI Application Session Activation / Termination 

The purpose of this annex is to illustrate the different Application Session procedures. 

Terminal UICC 

Application selection 



Application initialisation , 
procedure ^ 



Application initialisation 
procedure is terminated 





Select A! D=ISIM 






Select File 




Read Binary 


^ 


Status 


^ 




(P1='01') 





Figure E.I : ISIM Application Session Activation procedure 



Terminal 



UICC 



Application 

termination procedure 
is started 



Application termination 
procedure ^ 





status 






(P1='02') 
Select File 




Update Binary 


^ 


Select AID=ISIM 


^ 




(P2='40') 





Application closure 



Figure E.2: ISIM Application Session Termination procedure 
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Annex F (informative): 
Change History 
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